06-25-2021 04:35 AM - edited 06-25-2021 04:37 AM
Hi Team,
I see way too many IPSec SA tunnels with a remote VPN peer. The ACL only allows 3 LAN subnets over the VPN tunnels (as highlighted).
Any reason why? Thanks in advance!
ASR1K#show crypto ipsec sa peer 81.x.x.x
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 62.x.x.x
protected vrf: hf_test_ar
local ident (addr/mask/prot/port): (10.113.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.121.36.250/255.255.255.255/0/0)
current_peer 81.x.x.x port 500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 62.x.x.x, remote crypto endpt.: 81.x.x.x
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb TenGigabitEthernet0/0/0
current outbound spi: 0x158456(1410134)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0x3DDE293F(1037969727)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6785, flow_id: HW:4785, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/2893)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xCDF9447C(3455665276)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6788, flow_id: HW:4788, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/2940)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x3563E7DE(895739870)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6792, flow_id: HW:4792, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/2970)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x72637220(1919119904)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6796, flow_id: HW:4796, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3000)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xFA6BAEA4(4201361060)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6800, flow_id: HW:4800, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3030)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x6C55E5C5(1817568709)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6804, flow_id: HW:4804, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3060)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x95156B4D(2501208909)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6808, flow_id: HW:4808, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3121)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x48EE54F(76473679)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6816, flow_id: HW:4816, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3151)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x7D5BFD12(2103180562)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6822, flow_id: HW:4822, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3181)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x7F9A3563(2140812643)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6826, flow_id: HW:4826, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3211)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x8C4C4DD6(2353810902)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6830, flow_id: HW:4830, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3241)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x7CB6AD26(2092346662)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6836, flow_id: HW:4836, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3302)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x902F0F18(2419003160)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6840, flow_id: HW:4840, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3332)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xE2853812(3800381458)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6844, flow_id: HW:4844, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3362)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x769B1E65(1989877349)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6848, flow_id: HW:4848, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3392)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x931D620B(2468176395)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6852, flow_id: HW:4852, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3422)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x43327B7F(1127381887)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6856, flow_id: HW:4856, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3484)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x286488D1(677677265)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6860, flow_id: HW:4860, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3514)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x902220DC(2418155740)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6864, flow_id: HW:4864, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3544)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x952DCF96(2502807446)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6868, flow_id: HW:4868, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3574)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x185CE8(1596648)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6786, flow_id: HW:4786, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/2893)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x525BFC(5397500)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6787, flow_id: HW:4787, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/2940)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x2CFD06(2948358)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6791, flow_id: HW:4791, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/2970)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x5225F3(5383667)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6795, flow_id: HW:4795, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3000)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x77F7E1(7862241)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6799, flow_id: HW:4799, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3030)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x70B28E(7385742)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6803, flow_id: HW:4803, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3060)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xEF1ACC(15669964)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6807, flow_id: HW:4807, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3121)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x89EC3C(9038908)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6815, flow_id: HW:4815, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3151)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x684E91(6835857)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6821, flow_id: HW:4821, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3181)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x2A28D9(2762969)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6825, flow_id: HW:4825, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3211)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x26E6B7(2549431)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6829, flow_id: HW:4829, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3241)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x189E77(1613431)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6835, flow_id: HW:4835, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3302)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x3F4993(4147603)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6839, flow_id: HW:4839, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3332)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xC0F983(12646787)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6843, flow_id: HW:4843, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3362)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x5AF845(5961797)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6847, flow_id: HW:4847, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3392)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xB3AB03(11774723)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6851, flow_id: HW:4851, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3422)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x9842F9(9978617)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6855, flow_id: HW:4855, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3484)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x27A81B(2598939)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6859, flow_id: HW:4859, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3514)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xEB5CB2(15424690)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6863, flow_id: HW:4863, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3544)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x158456(1410134)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6867, flow_id: HW:4867, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3574)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: hf_test_ar
local ident (addr/mask/prot/port): (10.113.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.121.12.60/255.255.255.255/0/0)
current_peer 81.x.x.x port 500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 62.x.x.x, remote crypto endpt.: 81.x.x.x
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb TenGigabitEthernet0/0/0
current outbound spi: 0x779512(7836946)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0x322802D(52592685)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6783, flow_id: HW:4783, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/2890)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x3F6A8375(1063945077)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6790, flow_id: HW:4790, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/2940)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xC7385E5D(3342360157)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6794, flow_id: HW:4794, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/2972)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x8D207B84(2367716228)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6798, flow_id: HW:4798, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3000)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xE0ED61B0(3773653424)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6802, flow_id: HW:4802, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3030)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x32778124(846692644)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6806, flow_id: HW:4806, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3060)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xD331846(221452358)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6810, flow_id: HW:4810, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3121)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x7DF297FD(2113050621)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6818, flow_id: HW:4818, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3151)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x460B99B1(1175165361)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6824, flow_id: HW:4824, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3181)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xB37A9875(3011156085)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6828, flow_id: HW:4828, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3211)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x26BDA40F(649962511)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6832, flow_id: HW:4832, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3241)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x815351BB(2169721275)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6838, flow_id: HW:4838, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3302)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x89E3A00B(2313396235)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6842, flow_id: HW:4842, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3332)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xD80B579E(3624621982)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6846, flow_id: HW:4846, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3362)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xBC2CF956(3157064022)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6850, flow_id: HW:4850, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3392)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xA4AC4F64(2762755940)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6854, flow_id: HW:4854, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3422)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x7034E473(1882514547)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6858, flow_id: HW:4858, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3484)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x7FD26AB(134031019)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6862, flow_id: HW:4862, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3514)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xE6871296(3867611798)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6866, flow_id: HW:4866, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3544)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x6F68AF93(1869131667)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6870, flow_id: HW:4870, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3574)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xE76BE6(15166438)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6784, flow_id: HW:4784, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/2890)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x59D76F(5887855)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6789, flow_id: HW:4789, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/2940)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x4CF212(5042706)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6793, flow_id: HW:4793, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/2972)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x742A6B(7613035)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6797, flow_id: HW:4797, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3000)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x126B24(1207076)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6801, flow_id: HW:4801, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3030)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x36DED(224749)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6805, flow_id: HW:4805, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3060)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x454D13(4541715)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6809, flow_id: HW:4809, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3121)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xC88AAF(13142703)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6817, flow_id: HW:4817, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3151)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x2F9EEA(3120874)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6823, flow_id: HW:4823, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3181)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x8A9F69(9084777)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6827, flow_id: HW:4827, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3211)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xF75029(16207913)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6831, flow_id: HW:4831, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3241)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x807981(8419713)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6837, flow_id: HW:4837, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3302)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x173164(1519972)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6841, flow_id: HW:4841, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3332)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xF86E76(16281206)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6845, flow_id: HW:4845, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3362)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xCE3C90(13515920)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6849, flow_id: HW:4849, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3392)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x5C5FE8(6053864)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6853, flow_id: HW:4853, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3422)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xFE064B(16647755)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6857, flow_id: HW:4857, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3484)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xEFC8C9(15714505)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6861, flow_id: HW:4861, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3514)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x3F6C4D(4156493)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6865, flow_id: HW:4865, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3544)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x779512(7836946)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6869, flow_id: HW:4869, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (1843200/3574)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: hf_test_ar
local ident (addr/mask/prot/port): (10.113.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.125.55.65/255.255.255.255/0/0)
current_peer 81.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 62.x.x.x, remote crypto endpt.: 81.x.x.x
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb TenGigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: hf_test_ar
local ident (addr/mask/prot/port): (10.113.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.121.36.250/255.255.255.255/0/0)
current_peer 81.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 62.x.x.x, remote crypto endpt.: 81.x.x.x
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb TenGigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: hf_test_ar
local ident (addr/mask/prot/port): (10.113.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.121.12.60/255.255.255.255/0/0)
current_peer 81.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 62.x.x.x, remote crypto endpt.: 81.x.x.x
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb TenGigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
ASR1K#
06-25-2021 04:48 AM - edited 06-25-2021 04:51 AM
Yes, and they all have different SPIs and conn IDs; it could be continually renegotiating the SAs without clearing the old SA.
I assume this is not working as there are no encaps|decaps?
What is the peer device?
Is this a new VPN tunnel, if not has it ever worked correctly?
FYI, 3DES, SHA and DH group 2 are weak. Cisco has started to deprecate these weaker algorithms; if possible, start planning to replace them with stronger algorithms.
06-25-2021 05:14 AM
Hi @Rob Ingram ,
Any reason why they have multiple SPIs and conn IDs generated?
The IPSec works, possibly because one of the IPSec SAs works (please refer to the attached full "show crypto ipsec sa").
The peer device is Huawei; I have asked Huawei as well:
https://forum.huawei.com/enterprise/en/multiple-ipsec-sa-tunnels-established-ar1200/thread/751087-867
The VPN worked fine before. I started noticing these multiple IPSec SAs since a few days ago. Nothing changed really.
Following is a sample of the config I have.
ASR1K#show run interface tunnel1
Building configuration...
Current configuration : 365 bytes
!
interface Tunnel1
description IPSec HF_Test_AR
vrf forwarding hf_test_ar
ip unnumbered Port-channel1.1760
zone-member security HF_TEST_AR
tunnel source Loopback2
tunnel mode ipsec ipv4
tunnel destination 81.x.x.x
tunnel vrf FVRF
tunnel protection ipsec policy ipv4 IPSec_ACL_HF_Test_AR
tunnel protection ipsec profile IPsec_Profile_HF_Test_AR
end
ASR1K#
ASR1K#show ip access-lists IPSec_ACL_HF_Test_AR
Extended IP access list IPSec_ACL_HF_Test_AR
10 permit ip 10.113.0.0 0.0.255.255 host 10.121.12.60
20 permit ip 10.113.0.0 0.0.255.255 host 10.121.36.250
30 permit ip 10.113.0.0 0.0.255.255 host 10.125.55.65
ASR1K#
06-25-2021 05:26 AM
Check your IOS-XE version to determine if there is a bug related to this issue.
Check your lifetime timers on both devices are identical. Clear the crypto ipsec sas on both devices and observe whether multiple SAs are recreated over time.
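A small audit script, as an added example (not code from the thread, from Cisco or from Huawei), that parses the kind of `show crypto ipsec sa` and `show ip access-lists` output posted above and reports what the checks in this thread look for: more live SAs per direction for one selector pair than a single rekey overlap explains, with the spacing of their remaining lifetimes (a new SA roughly every 30 s while the old ones stay ACTIVE is rekey churn), ACL lines that never produced an SA, and negotiated proxy identities that differ from the ACL line for the same destination (the /24 local ident seen above against the /16 in the ACL). The sample output is constructed in the format of the post, abbreviated, with the peer replaced by a documentation address.

```python
"""Audit IOS-XE 'show crypto ipsec sa' output for stacked SAs and for negotiated
proxy identities that do not match the crypto ACL (added example, not from the thread)."""
import re
from ipaddress import IPv4Network

# Constructed sample in the format of the ASR1K output above, cut down to the lines
# the parser reads (three SAs per direction stand in for the twenty in the post).
SAMPLE_SA = """\
local ident (addr/mask/prot/port): (10.113.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.121.36.250/255.255.255.255/0/0)
PERMIT, flags={}
inbound esp sas:
spi: 0x3DDE293F(1037969727)
sa timing: remaining key lifetime (k/sec): (1843200/2893)
spi: 0xCDF9447C(3455665276)
sa timing: remaining key lifetime (k/sec): (1843200/2940)
spi: 0x3563E7DE(895739870)
sa timing: remaining key lifetime (k/sec): (1843200/2970)
outbound esp sas:
spi: 0x185CE8(1596648)
sa timing: remaining key lifetime (k/sec): (1843200/2893)
spi: 0x525BFC(5397500)
sa timing: remaining key lifetime (k/sec): (1843200/2940)
spi: 0x2CFD06(2948358)
sa timing: remaining key lifetime (k/sec): (1843200/2970)
local ident (addr/mask/prot/port): (10.113.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.125.55.65/255.255.255.255/0/0)
PERMIT, flags={origin_is_acl,}
inbound esp sas:
outbound esp sas:
"""
SAMPLE_ACL = """\
10 permit ip 10.113.0.0 0.0.255.255 host 10.121.12.60
20 permit ip 10.113.0.0 0.0.255.255 host 10.121.36.250
30 permit ip 10.113.0.0 0.0.255.255 host 10.125.55.65
"""
IDENT_RE = re.compile(r"^(local|remote) ident .*: \(([\d.]+)/([\d.]+)/")
SPI_RE = re.compile(r"^spi: (0x[0-9A-Fa-f]+)")
LIFE_RE = re.compile(r"\(k/sec\): \(\d+/(\d+)\)")
ACL_RE = re.compile(r"^\d+ permit ip ([\d.]+) ([\d.]+) host ([\d.]+)")


def parse_sa_output(text):
    """One dict per proxy-identity pair: selectors, ACL origin, ESP SAs per direction."""
    flows, flow, section = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        m = IDENT_RE.match(line)
        if m and m.group(1) == "local":      # a new selector pair starts here
            flow = {"local": None, "remote": None, "from_acl": False, "in": [], "out": []}
            flows.append(flow)
            section = None
        if flow is None:
            continue
        if m:
            flow[m.group(1)] = IPv4Network((m.group(2), m.group(3)))
        elif line.startswith("PERMIT, flags="):
            flow["from_acl"] = "origin_is_acl" in line
        elif line.endswith(" sas:"):
            # only the ESP sections hold SAs; the AH/PCP headings end an ESP list
            section = {"inbound esp sas:": "in", "outbound esp sas:": "out"}.get(line)
        elif section and SPI_RE.match(line):
            flow[section].append({"spi": SPI_RE.match(line).group(1), "secs": None})
        elif section and flow[section] and LIFE_RE.search(line):
            flow[section][-1]["secs"] = int(LIFE_RE.search(line).group(1))
    return flows


def parse_acl(text):
    """Crypto ACL lines -> (source network from wildcard mask, destination /32)."""
    return [(IPv4Network((m.group(1), m.group(2))), IPv4Network(m.group(3) + "/32"))
            for m in map(ACL_RE.match, (l.strip() for l in text.splitlines())) if m]


def audit(flows, acl, normal_max=2):
    """Flag more live SAs per direction than one rekey overlap explains, ACL lines
    that never produced an SA, and negotiated selectors differing from the ACL line."""
    findings = []
    for f in flows:
        key = f"{f['local']} -> {f['remote']}"
        for direction in ("in", "out"):
            if len(f[direction]) > normal_max:
                secs = sorted(s["secs"] for s in f[direction] if s["secs"] is not None)
                gaps = [b - a for a, b in zip(secs, secs[1:])]   # creation spacing
                findings.append({"flow": key, "kind": "stacked_sas", "dir": direction,
                                 "count": len(f[direction]),
                                 "min_gap_sec": min(gaps) if gaps else None})
        configured = [src for src, dst in acl if dst == f["remote"]]
        if f["from_acl"] and not f["in"] and not f["out"]:
            findings.append({"flow": key, "kind": "acl_entry_no_sa"})
        elif configured and f["local"] not in configured:   # e.g. peer's /24 vs our /16
            findings.append({"flow": key, "kind": "selector_mismatch",
                             "negotiated": f["local"], "configured": configured[0]})
    return findings


if __name__ == "__main__":
    print(*audit(parse_sa_output(SAMPLE_SA), parse_acl(SAMPLE_ACL)), sep="\n")
```

Run it against the full dump after `clear crypto sa` and again a few minutes later: a growing `count` with a steady `min_gap_sec` confirms the SAs are being re-created rather than replaced.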
06-25-2021 05:48 AM
Can we see the config of the IPSec profile?
06-25-2021 08:51 AM - edited 06-25-2021 09:46 AM
Hi @MHM Cisco World @Rob Ingram
Thank you both guys.
It was a mismatch on the Huawei End. Thank you very much for your support!
06-25-2021 10:22 AM
@kasunrajapakse To help others who may view this post, what was mismatched? The lifetime timers?
06-28-2021 02:08 AM
Hi @Rob Ingram ,
Yes. Phase 2 timers mismatch and wrong wildcard mask on the ACL.
Hope this is of any help